Internal Controls = Fraud Prevention
Ohio Township Association Conference January 27, 2016
Introduction
Donald R. Owens, CPA, CFF, CIA, CFSA, CRMA, CBA
Shareholder, Internal Audit and Risk Advisory Services
Schneider Downs & Co., Inc.
41 S. High Street, Suite 2100
Columbus, OH 43215
Email: [email protected]
Work Phone: (614) 586-7257
Cell Phone: (614) 271-8551
Fax: (614) 621-4062
Disclaimers
IRS CIRCULAR 230 DISCLOSURE: Any tax advice contained in this communication (or in any attachment) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code, or (ii) promoting, marketing or recommending to another party any transaction or other matter addressed in this communication (or in any attachment).
The views expressed by the presenter do not necessarily represent the views, positions, or opinions of Schneider Downs & Co., Inc.
These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting, tax or legal advice or create an accountant-client or attorney-client relationship.
Presentation Take-Aways
• Recognizing and assessing the various fraud threats in your environment
• How to effectively design and conduct a fraud risk assessment
• Evaluating factors that contributed to corporate frauds
Recognize the Threat
Fraud and Its Faces
• Deliberate deception to secure unfair or unlawful gain
• Intentional deception of a person or entity by another made for monetary or personal gain
• Intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.
Fraud
“Fraud and stupidity look an awful lot alike.”
- Alan Bachman, CFE, MBA, Education Manager at ACFE
Agenda
• Fraud
  – Types of Fraud
  – Basics of Fraud
  – Statistics
  – Red Flags
  – Prevention
• Fraud Risk Assessment
• Internal Controls
• Whistleblower Programs
• Resources
Types of Fraud
Fraudulent Financial Reporting
• Revenues
• Expenses
• Improper valuation or misclassification
Misappropriation of Assets
• Cash theft
• Fraudulent disbursements
• Payroll fraud
• Expense reimbursement
• Capital assets/inventory
Corruption
• Bribery
• Bid rigging/Kickbacks
• Illegal payments
• Conflicts of interest
• Aiding and abetting fraud (money laundering)
Almost always material - directly impacts the financials
May or may not be material - directly impacts financials
May or may not be material - indirectly impacts the financials
Almost always involves senior management
Can involve any level of employee
Can involve any level of employee
Controls are less effective in preventing and detecting fraud
Controls can be difficult and expensive to implement. Requires close scrutiny of employee activities and cost to do business
Controls can be effective, particularly with regard to those below top management
Types of Fraud
Theft of Sensitive Data
• Customer and employee personal information
• Proprietary information/trade secrets
• Patents, copyrights, other legally protected intellectual property
Defrauding Customers
• Intentionally misrepresenting products and services
• Inflating invoices/duplicate billings
• Shorting orders/product
Compliance
• Undocumented employees
• Unrecorded wages
• Unreported accidents
• Manipulation of data
• Unfair, deceptive acts
May or may not be material/measurable - indirectly impacts the financials
May or may not be material - directly impacts financials
May or may not be material - indirectly impacts the financials
Can involve any level of employee
Can involve any level of employee
Can involve any level of employee
Controls can be difficult and expensive to implement
Controls can be effective, particularly with regard to those below top management
Controls can be effective at all levels
Types of Fraud
Key Areas of Concern:
– Credit and Debit Cards
– Corruption
– Billing
– Cash theft
– Payroll
– Personal expenses
– Vendor
– Related Party
Basics of Fraud
Know that...
– Fraudsters are creative
– Fraudsters appear trustworthy
– Fraudsters are long-standing reliable employees
– Fraudsters are active members of the community
– Fraudsters are sitting in cubicles near to you
– Fraudsters are becoming more tech-savvy
Basics of Fraud
“82% of fraudsters had never previously been punished or terminated by an employer for fraud-related conduct.”
Source: ACFE Report to the Nations on Occupational Fraud and Abuse (2014)
Basics of Fraud
Fraud or Not
– Teller removes cash from vault for personal use
– CFO withdraws funds from operating account and payroll, creates unsupported receivable entries to balance the records
– Procurement Manager directs payment to his accounts
– Executive uses company assets for personal business
– Risk Manager receives lucrative gifts from vendors
Basics of Fraud
The Fraud Triangle
– Rationalization (Justification of Act)
– Opportunity (Process and Controls)
– Need/Pressure/Motivation (Influences/Incentives)
Basics of Fraud
The Fraud Diamond/Rectangle
– Incentive (Influences/Motivation)
– Opportunity (Processes and Controls)
– Rationalization (Justification of Act)
– Capability (Competency to execute)
Basics of Fraud
• An organization CANNOT control a fraudster’s rationalization for his/her actions
• An organization CAN control the opportunities for the fraudster to commit the crime
• Consider the capabilities of employees to commit the crime (competence to execute)
Basics of Fraud
Escalation Fraud Theory
Basics of Fraud
Consequences
– Job loss
– Reduction in future funding
– Civil lawsuits
– Criminal prosecution
– Destroyed reputation (both entity AND the individual)
– Long-term impairment of operations
Fraud Statistics
[Chart: Sources of Detection, by detection method. Categories shown: Tip, Internal Audit, Management Review, By Accident, Account Reconciliation, Document Examination, External Audit, Notified by Police, Surveillance/Monitoring, Confession, IT Controls, Other. Source: 2014 Association of Certified Fraud Examiners Fraud Study]
Fraud Red Flags
Ethics and Fraud are so inter-connected. Without a strong ethical culture, fraud risk exponentially increases.
In most fraud cases uncovered, indicators that a fraud was occurring were evident to others. However, human nature is to continue to trust those around us even when faced with evidence to the contrary.
Misplaced Trust is a Great Facilitator of Fraud
Fraud Red Flags
Fraud Opportunity
Employee’s years of service
X Number of key responsibilities residing with the employee
X Organization’s complacency level with respect to validating controls and monitoring activities
= Potential for fraud to be committed
Fraud Red Flags
Employee Habits
– Lifestyle or behavior changes
– Personal debt or credit problems
– Refusal to take vacation or sick leave
– Excessive overtime
– Does not produce information voluntarily
– Volatile, arrogant, confrontational or aggressive when challenged
– Indignant with respect to training a back-up
Fraud Red Flags
Management
– Reluctance to provide information
– Dominates all decisions
– Overrides internal controls
– High employee turnover
– Unusual transactions made outside of the system
– Financial distress/exhibits stress
– Retains excessive authorities and duties (Lack of segregation)
Fraud Red Flags
Operational Indicators
– Large number of write-offs
– Discrepancies between bank deposits and postings/books
– Excessive/unjustified cash and/or adjusting entries
– Incomplete/untimely bank reconciliations
– Lack of support for or tracking of transactions
Fraud Red Flags
Cash Receipts and Disbursements
– Lack of segregation of key duties
  • Physical/Manual Duties
  • System Capabilities
– Missing deposits
– Absence of a cash receipt log
– Lack of controls over management signature
– Uncontrolled access to blank checks
Fraud Red Flags
Purchasing
– Lack of segregation of key duties
– Excessive/unusual exceptions to purchasing policies
– Uncontrolled access to the vendor master file
– Vendors with employee names/addresses
– Duplicate purchase orders
– Copies of invoices used to pay vendors
– Less than arms-length transactions and conflicts of interest
– Undue influence
Fraud Red Flags
Fixed Assets
– Lack of segregation of key duties
– Lack of periodic inventory of assets
– Lack of asset tags/tracking
– Lack of physical security
Fraud Prevention
MAIN TAKE-AWAY
“Awareness”
Fraud Prevention
• Adequate resources
• Robust hiring practices
• Periodic audits/reviews
• Conflicts of interest policies and practices
• Insist on adequate documentation
• Tone at the top
• Open door policy
• Culture of compliance and ethics
• On-going and required anti-fraud training
• Fraud reporting tool (hotline)
• Fraud risk assessments
• Strong internal controls
Fraud Risk Assessment
Develop a FRA Framework → Populate fraud risks → Rate probability and impact → Identify controls and assess alignment → Identify gaps → Remediation
Fraud Risk Assessment
Identify Opportunities to Commit Fraud
– Create a profile that includes a list of the different areas in which fraud may occur and the types of fraud that are possible in each area (brainstorming, analysis of prior frauds, public information/Google alerts)
– Consider the various types of schemes and scenarios that could occur within an organization
– Don’t overlook information technology impact (enabler or deterrent)
Fraud Risk Assessment
Measuring Fraud Risk Probability/Likelihood
Prior instances, prevalence, and other factors, including volume of transactions and complexity, and number of people involved in the process should be considered
• Remote
• Reasonably possible
• Probable
Fraud Risk Assessment
Factors to Measure Probability
– Controls or lack of
– Integrity of the organization
– Organizations are downsizing
– Budgets are decreasing
– Organizations are doing more with less
– Stressed and disaffected employees
Fraud Risk Assessment
Measuring Fraud Risk Impact/Severity
Should include financial, monetary, operational, reputational as well as criminal, civil and regulatory liability considerations
• High
• Moderate
• Low
Fraud Risk Assessment
Other Measures to Consider:
– Probability/likelihood
– Impact/severity
– Velocity/speed
– Frequency/persistence
– Direction of risk
Internal Controls
Internal Controls
Designing and Implementing Controls
• Control Design
  – Aligned with relevant fraud risks
  – Executed by competent and objective individuals
• Control Effectiveness
  – Evidence available to support whether control is operating as intended
  – Control executed at a frequency appropriate to the fraud risk
Internal Controls
Types
– Preventive: Intended to reduce the risk of fraud occurring to an acceptable level
– Detective: Intended to flag potential risk that a fraud occurred in a timely manner
– Persuasive: Tone and culture of the organization, its belief system
– Competence: Aptitude to recognize when something is not right
Internal Controls
Preventive Controls
– Human Resources procedures
  • Recruiting/hiring: smart, honest, ethical
  • Background investigations
  • Anti-fraud training
  • Exit interviews
– Restricted access (physical and system)
– Segregation of duties (limit keys to the kingdom)
– Authority limits
– Transaction-level controls: approvals, reviews
Internal Controls
Detective Controls
– Variance analysis, with communication and follow-up on unusual variances or items outside of thresholds
– Comparison of internal data to external sources
– Reconciliations
– Surprise audits
– Whistleblower hotline
– Exit interviews (HR)
Internal Controls
Detective Controls (cont.)
– Independent reviews
– Physical inspections and counts
– Special audits (e.g., expense reports, P-card, cash counts)
Internal Controls
Persuasive Controls
– Formal code of ethics/conduct
– Whistleblower hotline
– Management setting appropriate example
– Positive workplace environment
– Honest and constructive feedback and recognition
  • Eliminate fear of delivering “bad news”
  • Treat employees with fairness
  • Organizational responsibilities clearly defined
  • Strong communication practices and methods
  • Direct communication vs. innuendo
Internal Controls
Competence
– Possesses required skill, knowledge, qualification, and/or capacity
– Requires knowledge of expected outcomes and incentives to report
– Is empowered to report concerns
– Effectively performs the duties of one’s position
– Has an awareness of the duties of those around them
SEC/IRS/DOJ Whistleblower Programs
IRS Program Rules
• The law provides for two types of awards. If the taxes, penalties, interest and other amounts in dispute exceed $2 million, and a few other qualifications are met, the IRS will pay 15 percent to 30 percent of the amount collected….
• The IRS also has an award program for other whistleblowers, generally those who do not meet the dollar thresholds of $2 million in dispute or cases involving individual taxpayers with gross income of less than $200,000. The awards through this program are less, with a maximum award of 15 percent, up to $10 million....
SEC/IRS/DOJ Whistleblower Programs
DOJ and SEC
The Dodd–Frank Wall Street Reform and Consumer Protection Act:
• There have been several attempts to create special whistleblower incentives in the financial sphere, specifically with protection from retaliation, which Dodd-Frank now does best:
• Section 922 of the Act laid out critical incentives to bring forth whistleblowers, including (1) financial compensation, as well as (2) protection under the law from criminal penalties.
• Individuals who report valuable information to the SEC or DOJ on securities fraud like insider trading, fraud, money laundering, and so forth are entitled to up to 30% of any settlements that result in over $1 million payments collected.
SEC/IRS/DOJ Whistleblower Programs
DOJ False Claims Act (nicknamed the “Lincoln Law”)
• From 1986 to 2014, the United States government recovered $44 billion under the False Claims Act. More than two-thirds of this, about $30.3 billion, was recovered in cases filed by whistleblowers under the qui tam provisions of the False Claims Act.
• Whistleblowers have received over $4.7 billion under the False Claims Act. In 2014 alone, whistleblowers helped recover approximately $3 billion and were awarded over $435 million.
SEC/IRS/DOJ Whistleblower Programs
• The Securities and Exchange Commission today announced an expected award of more than $30 million to a whistleblower who provided key original information that led to a successful SEC enforcement action.
• The Securities and Exchange Commission today announced a whistleblower award of more than $300,000 to a company employee who performed audit and compliance functions and reported wrongdoing to the SEC after the company failed to take action when the employee reported it internally.
• A former UBS AG banker who went to prison after telling the Internal Revenue Service how the bank helped thousands of Americans evade taxes secured a whistleblower award of $104 million, which is the largest individual federal payout in U.S. history.
• The Department of Justice has paid nearly $3 billion in rewards to everyday citizens for reporting fraud. The average reward is $1.5 million.
SEC/IRS/DOJ Whistleblower Programs
Better a company promotes and encourages employees to report matters through an internal whistleblower hotline than to face the uncertainty associated with inquiries from the SEC, IRS, DOJ or other government agency responding to anonymous complaints received through the agency’s hotline.
Resources
Ohio Auditor of State
https://ohioauditor.gov/fraud.htm
[email protected]
Call 1-866-Fraud-OH (1-866-372-8364)
AICPA Fraud Resource Center
http://www.aicpa.org/INTERESTAREAS/FORENSICANDVALUATION/RESOURCES/
The AICPA offers a variety of resources and training to assist CPAs in both public accounting and industry to help them improve their skills in the practice of fraud prevention, detection, and investigation.
Resources
Association of Certified Fraud Examiners (ACFE)
http://www.acfe.com/rttn.aspx
Report to the Nations
Frank W. Abagnale
http://www.abagnale.com/company.htm
Free resources are available on this site
The Institute of Internal Auditors
https://na.theiia.org/training/Pages/Fraud-Courses.aspx
Browse a list of fraud courses offered by The IIA and fraud related materials
As one of the largest certified public accounting and business advisory firms in the region, Schneider Downs serves clients throughout the country and around the world. By integrating high-quality resources, systems and personnel, Schneider Downs has built a reputation of delivering individualized services built on insight, innovation, and experience to meet each client’s specific needs. For more information, visit us at www.schneiderdowns.com